Package: sfs-client
Version: 1:0.8-0+pre20060720.1-1
Severity: normal

At lines 120-121 of /etc/init.d/sfs-client one finds

    $0 stop
    $0 start

But at line 25, the script executes

    cd /var/lib/sfs/

This potentially allows an incorrect script to be run if (for example)
an attacker installed a script called /var/lib/sfs/sfs-client and root
invoked the control script in /etc/init.d/ as ./sfs-client.  At line
120 ./ refers to a different directory.

It's also inconvenient, since simply executing ./sfs-client fails
because /var/lib/sfs/sfs-client doesn't exist.
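The following is an added illustration, not code from the sfs-client package: it reproduces the `cd` then `$0` pattern with constructed temporary directories (standing in for /etc/init.d and /var/lib/sfs) and shows the usual fix of resolving `$0` to an absolute path before changing directory.

```shell
#!/bin/sh
# Added example, not code from the sfs-client package. It demonstrates why an
# init script must pin down its own path before it does `cd`, and shows a
# hardened alternative to re-invoking itself through a raw `$0`.

# Resolve the name a script was invoked as ($1, i.e. its $0) to an absolute,
# normalised path against the working directory in effect *right now*.
resolve_self() {
    case "$1" in
        */*) printf '%s/%s\n' "$(cd "$(dirname "$1")" && pwd)" "$(basename "$1")" ;;
        *)   command -v "$1" || printf '%s/%s\n' "$(pwd)" "$1" ;;   # bare name: PATH lookup
    esac
}

# The fragile pattern from the bug report: cd into a state directory, then
# re-exec via $0. Prints the file that `$0 restart` would really execute.
fragile_restart_target() {   # $1: $0 as seen by the script, $2: state dir
    ( cd "$2" && resolve_self "$1" )
}

# Hardened pattern: capture the absolute path before the cd, then use it.
hardened_restart_target() {  # $1: $0 as seen by the script, $2: state dir
    self=$(resolve_self "$1")
    ( cd "$2" && printf '%s\n' "$self" )
}

# Stand-alone demonstration using constructed directories under a temp dir
# (these stand in for /etc/init.d and /var/lib/sfs; nothing real is touched).
demo() (
    tmp=$(cd "$(mktemp -d)" && pwd)
    mkdir -p "$tmp/init.d" "$tmp/state"
    cd "$tmp/init.d"
    echo "fragile : $(fragile_restart_target ./sfs-client "$tmp/state")"   # .../state/sfs-client
    echo "hardened: $(hardened_restart_target ./sfs-client "$tmp/state")"  # .../init.d/sfs-client
    rm -rf "$tmp"
)
demo
```

The fragile variant resolves `./sfs-client` inside the state directory, which is exactly the path an unprivileged writer of that directory could populate; the hardened variant keeps pointing at the script that was actually started.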

-- System Information:
Debian Release: testing/unstable
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.15-1-686
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)

Versions of packages sfs-client depends on:
ii  libc6            2.3.6.ds1-4             GNU C Library: Shared libraries
ii  libgcc1          1:4.1.1-11              GCC support library
ii  libgmp3c2        2:4.2.1+dfsg-4          Multiprecision arithmetic library
ii  libsfs0c2        1:0.8-0+pre20060720.1-1 Self-Certifying File System shared
ii  libstdc++6       4.1.1-11                The GNU Standard C++ Library v3
ii  python           2.4.3-11                An interactive high-level object-o
ii  sfs-common       1:0.8-0+pre20060720.1-1 Self-Certifying File System common

sfs-client recommends no packages.

-- no debconf information

